Security Basics mailing list archives
RE: Blackberry Security concerns
From: Jason.Burzenski () americanhm com
Date: Fri, 15 Apr 2005 16:44:38 -0400
These are the documents that we found most helpful for the assessment (in no particular order).

http://www.sans.org/rr/whitepapers/pda/258.php
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/645094/An_@stake_Security_Assessment.pdf?nodeid=644990&vernum=0
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/7979/278286/278425/Wireless_IT_Policy_and_IT_Administration.pdf?nodeid=340697&vernum=0
http://www.blackberry.com/products/software/server/exchange/upgrade.shtml?type=3_5
http://www.blackberry.com/products/software/server/exchange/security.shtml

This summary from Stefan Keller also provided this at the time I was doing the research. I've paraphrased a bit but this formed a good foundation for the recommendations we proposed.

Top 5 Blackberry Security Recommendations

1. Disable pin-to-pin messaging
2. Enable password-protection on the device (strong passwords, expiration)
3. Disable the installation of 3rd party applications
4. Make user aware that data on the device is at risk (awareness)
5. Communicate the procedure for loss of device and emergency shutdown of service.

Hope this helps.

Jason

-----Original Message-----
From: Jason.Burzenski () americanhm com [mailto:Jason.Burzenski () americanhm com]
Sent: Thursday, April 14, 2005 11:17 PM
To: ddenton () PAYLESSOFFICE com; eric () piteduncan com; ntimperio () hitechnique com; security-basics () securityfocus com
Subject: RE: Blackberry Security concerns

If you review the blackberry security documentation, they advise it not be placed in the DMZ so it is more protected from attack. We just completed an assessment of a blackberry enterprise server and the weak points were identified on the exchange side and on the mobile device side. The BES never actually sees any data because the end-to-end encryption is between the exchange component and the device. Let me know if you need any help. I can send you some docs we used to facilitate the assessment in the morning.
Blackberry's own security documentation and the assessment performed by eEye were most useful.

Jason Burzenski

-----Original Message-----
From: Dan Denton [mailto:ddenton () PAYLESSOFFICE com]
Sent: Thursday, April 14, 2005 4:44 PM
To: Eric McCarty; Nicholas Timperio; security-basics () securityfocus com
Subject: RE: Blackberry Security concerns

I would have to agree. We did not need to open any incoming ports on our firewall to make the software work.

-----Original Message-----
From: Eric McCarty [mailto:eric () piteduncan com]
Sent: Thursday, April 14, 2005 12:25 PM
To: Nicholas Timperio; security-basics () securityfocus com
Subject: RE: Blackberry Security concerns

Blackberry Enterprise server initiates the connection so no additional incoming ports need to be opened.

-----Original Message-----
From: Nicholas Timperio [mailto:ntimperio () hitechnique com]
Sent: Thursday, April 14, 2005 9:10 AM
To: security-basics () securityfocus com
Subject: Blackberry Security concerns

Security-Basics -

We have a client that is thinking about having Blackberry Enterprise Server installed on their Small Business Server. My first thought is, since this requires punching a hole through the firewall that we do not have an application layer proxy for, that this should exist on a demilitarized zone.

Has anyone deployed the Blackberry Enterprise Server in a manner that they felt was secure? If so, what was done?

Thanks,
- Nicholas

---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life.
http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------